diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 7b24ef8..9f1d4d8 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -37,18 +37,18 @@ allow local_login_t self:capability { dac_override chown fowner fsetid kill setg
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
-allow local_login_t self:fifo_file { read getattr lock ioctl write append };
-allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow local_login_t self:fifo_file rw_file_perms;
+allow local_login_t self:unix_dgram_socket create_socket_perms;
+allow local_login_t self:unix_stream_socket create_stream_socket_perms;
 allow local_login_t self:unix_dgram_socket sendto;
 allow local_login_t self:unix_stream_socket connectto;
-allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow local_login_t self:shm create_shm_perms;
+allow local_login_t self:sem create_sem_perms;
+allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
-allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow local_login_t local_login_tmp_t:dir create_dir_perms;
+allow local_login_t local_login_tmp_t:file create_file_perms;
 files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
@@ -139,7 +139,7 @@ allow local_login_t var_t:lnk_file read;
 dontaudit local_login_t sysfs_t:dir search;
-allow local_login_t autofs_t:dir { search read getattr };
+allow local_login_t autofs_t:dir r_dir_perms;
 allow local_login_t mnt_t:dir r_dir_perms;
 # FIXME: what is this for?
@@ -198,14 +198,14 @@ allow local_login_t power_device_t:chr_file { getattr setattr };
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow sulogin_t self:fd use;
-allow sulogin_t self:fifo_file { read getattr lock ioctl write append };
-allow sulogin_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow sulogin_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow sulogin_t self:fifo_file rw_file_perms;
+allow sulogin_t self:unix_dgram_socket create_socket_perms;
+allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
 allow sulogin_t self:unix_dgram_socket sendto;
 allow sulogin_t self:unix_stream_socket connectto;
-allow sulogin_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow sulogin_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow sulogin_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow sulogin_t self:shm create_shm_perms;
+allow sulogin_t self:sem create_sem_perms;
+allow sulogin_t self:msgq createmsgq_perms;
 allow sulogin_t self:msg { send receive };
 kernel_read_system_state(sulogin_t)
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index 1c7c822..da6e482 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
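Review bot: `+allow sulogin_t self:msgq createmsgq_perms;` names a permission macro that does not exist; m4 will pass it through unexpanded and checkpolicy should then reject it as an unknown permission, so the sulogin_t block as committed will not build. The parallel local_login_t rule in the first hunk spells it `create_msgq_perms`, so the line should read `allow sulogin_t self:msgq create_msgq_perms;`. Also in the previous hunk, `r_dir_perms` on autofs_t:dir adds lock and ioctl to what was { search read getattr } (assuming the usual r_dir_perms definition), a small widening rather than a pure substitution.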
@@ -15,10 +15,7 @@ define(`lvm_transition',`
 requires_block_template(`$0'_depend)
- allow $1 lvm_exec_t:file { getattr read execute };
- allow $1 lvm_t:process transition;
- type_transition $1 lvm_exec_t:process lvm_t;
- dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, lvm_exec_t, lvm_t)
 allow $1 lvm_t:fd use;
 allow lvm_t $1:fd use;
@@ -80,14 +77,15 @@ define(`lvm_transition_add_role_use_terminal_depend',`
 define(`lvm_read_config',`
 requires_block_template(`$0'_depend)
- allow $1 lvm_etc_t:dir { getattr search read };
- allow $1 lvm_etc_t:file { getattr read };
+ allow $1 lvm_etc_t:dir r_dir_perms;
+ allow $1 lvm_etc_t:file r_file_perms;
 ')
 define(`lvm_read_config_depend',`
 type lvm_t, lvm_exec_t;
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index e070a82..5e1e0ff 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
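Review bot: `domain_auto_trans($1, lvm_exec_t, lvm_t)` replaces four explicit rules, but the matching `lvm_transition_depend` requires block is outside this hunk and is not touched by the commit; if the macro expands to anything beyond file { getattr read execute }, process { transition noatsecure siginh rlimitinh } and the type_transition (an entrypoint rule on lvm_exec_t for lvm_t, or a sigchld rule back to $1, would be typical), the depend block no longer declares what the interface actually needs. Please confirm the macro's expansion against the depend block, and consider a one-line comment above the call such as `# domain_auto_trans expansion must stay in sync with lvm_transition_depend`. The same substitution is made in modutils_insmod_transition, modutils_depmod_transition and modutils_update_modules_transition in modutils.if, and in the update_modules_t block of modutils.te, so the same check applies there.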
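Review bot: `type lvm_t, lvm_exec_t;` in `lvm_read_config_depend` declares two types that lvm_read_config never references, while lvm_etc_t, which both new allow rules use, is not declared at all; the line should read `type lvm_etc_t;`. The commit rewrites the class lines of this block but leaves the type line as it was, so the mismatch is pre-existing, but since the block is being edited anyway this is the moment to fix it. Whether requires_block_template actually fails on an undeclared type depends on its implementation, which is outside this diff.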
@@ -39,32 +39,32 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
-allow lvm_t self:file { read getattr lock ioctl };
-allow lvm_t self:fifo_file { ioctl read getattr lock write append };
-allow lvm_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow lvm_t self:file r_file_perms;
+allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
-allow lvm_t lvm_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow lvm_t lvm_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow lvm_t lvm_tmp_t:dir create_dir_perms;
+allow lvm_t lvm_tmp_t:file create_file_perms;
 files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir })
 # /lib/lvm- holds the actual LVM binaries (and symlinks)
 allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } { read getattr lock ioctl };
+allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
 # LVM is split into many individual binaries
-allow lvm_t lvm_exec_t:file { getattr read execute execute_no_trans };
+can_exec(lvm_t, lvm_exec_t)
 # Creating lock files
-allow lvm_t lvm_lock_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow lvm_t lvm_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow lvm_t lvm_lock_t:dir ra_dir_perms;
+allow lvm_t lvm_lock_t:file create_file_perms;
 files_create_private_lock_file(lvm_t,lvm_lock_t)
-allow lvm_t lvm_etc_t:file { read getattr lock ioctl };
-allow lvm_t lvm_etc_t:lnk_file { getattr read };
+allow lvm_t lvm_etc_t:file r_file_perms;
+allow lvm_t lvm_etc_t:lnk_file r_file_perms;
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-allow lvm_t lvm_etc_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow lvm_t lvm_metadata_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow lvm_t lvm_metadata_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow lvm_t lvm_etc_t:dir rw_dir_perms;
+allow lvm_t lvm_metadata_t:file create_file_perms;
+allow lvm_t lvm_metadata_t:dir rw_dir_perms;
 type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
 files_create_private_config(lvm_t,lvm_metadata_t,file)
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index d55dbe6..70c997d 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -51,15 +51,15 @@ define(`miscfiles_read_fonts',`
 # FIXME: search usr_t dir
 # FIXME: search lib_t dir
 # cjp: fonts can be in either of the above dirs
- allow $1 fonts_t:dir { getattr read search };
- allow $1 fonts_t:file { getattr read };
+ allow $1 fonts_t:dir r_dir_perms;
+ allow $1 fonts_t:file r_file_perms;
 ')
 define(`miscfiles_read_fonts_depend',`
 type fonts_t;
- class dir { getattr read search };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -81,9 +81,9 @@ define(`miscfiles_read_localization',`
 # FIXME: $1 read etc_t:lnk_file here
 # FIXME: $1 search usr_t:dir here
- allow $1 locale_t:dir { getattr read search };
- allow $1 locale_t:lnk_file { getattr read };
- allow $1 locale_t:file { getattr read };
+ allow $1 locale_t:dir r_dir_perms;
+ allow $1 locale_t:lnk_file r_file_perms;
+ allow $1 locale_t:file r_file_perms;
 # why?
 libraries_read_library_resources($1)
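Review bot: `+allow lvm_t lvm_lock_t:dir ra_dir_perms;` replaces a rule whose set included remove_name; with the usual refpolicy definition ra_dir_perms grants add_name but not remove_name, so lvm_t would lose the ability to unlink entries in its lock directory unless files_create_private_lock_file on the following line grants that independently. The lvm_etc_t:dir rule further down, which started from the identical permission set, was mapped to rw_dir_perms; for consistency this line should be `allow lvm_t lvm_lock_t:dir rw_dir_perms;`, or, if the tightening is intended, a comment saying so would stop the next reader from "fixing" it. Separately, `r_file_perms` on the lnk_file rules (lvm_etc_t:lnk_file and the `{ file lnk_file }` line here, and the lnk_file lines in the miscfiles.if hunks) adds lock and ioctl to what was { getattr read }; harmless on a symlink but not a pure substitution.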
@@ -92,9 +92,9 @@ define(`miscfiles_read_localization',`
 define(`miscfiles_read_localization_depend',`
 type locale_t;
- class dir { getattr read search };
- class lnk_file { getattr read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -142,17 +142,17 @@ define(`miscfiles_read_man_pages',`
 requires_block_template(`$0'_depend)
 # FIXME: search usr_t dir
- allow $1 man_t:dir { getattr read search };
- allow $1 man_t:file { getattr read };
- allow $1 man_t:lnk_file { getattr read };
+ allow $1 man_t:dir r_dir_perms;
+ allow $1 man_t:file r_file_perms;
+ allow $1 man_t:lnk_file r_file_perms;
 ')
 define(`miscfiles_read_man_pages_depend',`
 type man_t;
- class dir { getattr read search };
- class file { getattr read };
- class lnk_file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index d33871f..fac2c0a 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -16,7 +16,7 @@ define(`modutils_read_kernel_module_dependencies',`
 requires_block_template(`$0'_depend)
 bootloader_list_kernel_modules($1)
- allow $1 modules_dep_t:file { getattr read };
+ allow $1 modules_dep_t:file r_file_perms;
 ')
 define(`modutils_read_kernel_module_dependencies_depend',`
@@ -41,13 +41,13 @@ define(`modutils_read_kernel_module_dependencies_depend',`
 define(`modutils_read_kernel_module_loading_config',`
 requires_block_template(`$0'_depend)
- allow $1 modules_conf_t:file { getattr read };
+ allow $1 modules_conf_t:file r_file_perms;
 ')
 define(`modutils_read_kernel_module_loading_config_depend',`
 type modules_conf_t;
- class file { getattr create read write setattr unlink };
+ class file r_file_perms;
 ')
 ########################################
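Review bot: `allow $1 modules_dep_t:file r_file_perms;` in modutils_read_kernel_module_dependencies widens the permission set (r_file_perms normally adds lock and ioctl), but the matching `modutils_read_kernel_module_dependencies_depend` block begins on the hunk's last line and its class declaration is not in the diff, whereas the sibling modutils_read_kernel_module_loading_config_depend in the next hunk was updated to `class file r_file_perms;`. If the dependencies depend block still says `class file { getattr read };`, it should be changed the same way so the interface and its requires block stay in step.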
@@ -65,10 +65,7 @@ define(`modutils_read_kernel_module_loading_config_depend',`
 define(`modutils_insmod_transition',`
 requires_block_template(`$0'_depend)
- allow $1 insmod_exec_t:file { getattr read execute };
- allow $1 insmod_t:process transition;
- type_transition $1 insmod_exec_t:process insmod_t;
- dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, insmod_exec_t, insmod_t)
 allow $1 insmod_t:fd use;
 allow insmod_t $1:fd use;
@@ -126,7 +123,7 @@ define(`modutils_insmod_transition_add_role_use_terminal_depend',`
 define(`modutils_insmod_execute',`
 requires_block_template(`$0'_depend)
- allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1, insmod_exec_t)
 ')
 define(`modutils_insmod_execute_depend',`
@@ -149,10 +146,7 @@ define(`modutils_insmod_execute_depend',`
 define(`modutils_depmod_transition',`
 requires_block_template(`$0'_depend)
- allow $1 depmod_exec_t:file { getattr read execute };
- allow $1 depmod_t:process transition;
- type_transition $1 depmod_exec_t:process depmod_t;
- dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, depmod_exec_t, depmod_t)
 allow $1 depmod_t:fd use;
 allow depmod_t $1:fd use;
@@ -207,7 +201,7 @@ define(`modutils_depmod_transition_add_role_use_terminal_depend',`
 define(`modutils_depmod_execute',`
 requires_block_template(`$0'_depend)
- allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1, depmod_exec_t)
 ')
 define(`modutils_depmod_execute_depend',`
@@ -230,10 +224,7 @@ define(`modutils_depmod_execute_depend',`
 define(`modutils_update_modules_transition',`
 requires_block_template(`$0'_depend)
- allow $1 update_modules_exec_t:file { getattr read execute };
- allow $1 update_modules_t:process transition;
- type_transition $1 update_modules_exec_t:process update_modules_t;
- dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, update_modules_exec_t, update_modules_t)
 allow $1 update_modules_t:fd use;
 allow update_modules_t $1:fd use;
@@ -272,13 +263,13 @@ define(`modutils_update_modules_transition_add_role_use_terminal',`
 modutils_update_modules_transition($1)
 role $2 types update_modules_t;
- allow update_modules_t $3:chr_file { getattr read write ioctl };
+ allow update_modules_t $3:chr_file rw_file_perms;
 ')
 define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
 type update_modules_t;
- class chr_file { getattr read write ioctl };
+ class chr_file rw_file_perms;
 ')
 ########################################
@@ -288,7 +279,7 @@ define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
 define(`modutils_update_modules_execute',`
 requires_block_template(`$0'_depend)
- allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1, update_modules_exec_t)
 ')
 define(`modutils_update_modules_execute_depend',`
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 7d16483..5806112 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -41,13 +41,13 @@ files_make_temporary_file(update_modules_tmp_t)
 allow insmod_t self:capability { dac_override net_raw sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
-allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow insmod_t self:udp_socket create_socket_perms;
+allow insmod_t self:rawip_socket create_socket_perms;
 # Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
+allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
-allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
+can_exec(insmod_t, insmod_exec_t)
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
@@ -121,12 +121,12 @@ allow insmod_t usbfs_t:filesystem mount;
 # depmod local policy
 #
-allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
+can_exec(depmod_t, depmod_exec_t)
 # Read conf.modules.
-allow depmod_t modules_conf_t:file { getattr read };
+allow depmod_t modules_conf_t:file r_file_perms;
-allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow depmod_t modules_dep_t:file create_file_perms;
 bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
 kernel_read_system_state(depmod_t)
@@ -167,26 +167,23 @@ r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
 # update-modules local policy
 #
-allow update_modules_t self:fifo_file { getattr read write };
+allow update_modules_t self:fifo_file rw_file_perms;
-allow update_modules_t modules_dep_t:file { getattr read write };
+allow update_modules_t modules_dep_t:file rw_file_perms;
-allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
-allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
+can_exec(update_modules_t, insmod_exec_t)
+can_exec(update_modules_t, update_modules_exec_t)
 # manage module loading configuration
-allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow update_modules_t modules_conf_t:file create_file_perms;
 bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
 files_create_private_config(update_modules_t,modules_conf_t)
 # transition to depmod
-allow update_modules_t depmod_exec_t:file { getattr read execute };
-allow update_modules_t depmod_t:process transition;
-type_transition update_modules_t depmod_exec_t:process depmod_t;
-dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
+domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
+allow update_modules_t update_modules_tmp_t:file create_file_perms;
 files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
 kernel_read_kernel_sysctl(update_modules_t)